Here’s today’s summary of all the security news that’s fit to print (and at least vaguely relevant to normal people).
The ICO is preening over having effectively shut down a cold-calling firm that breached rules on automated calls. The fine? £350,000. The company’s reaction? Liquidation. Hmmm. So pop quiz: what will the ICO do the first time someone is caught thoroughly breaching the new General Data Protection Regulation, say by using people’s data without their explicit consent? Who’s going to get the first €20m (that’s £15.6m in today’s wobbling Brexit-anxiety pounds) fine?
Cryptolocker stays in the news by spreading its malign influence from file storage to websites; there’s a new variant on the loose that encrypts WordPress sites. (Hint: your website was probably developed in WordPress). No decryption toolsets yet, so if your site isn’t backed up, it’s ransom time. As ever, weak site security is the underlying problem – perhaps you should ask your web developers what they’re doing about it?
WorldPay has kindly reminded us that retail remains the weak link. The news itself is tedious and geeky, but the summary is that lots of payment terminals out there have weak security and no one is getting around to updating them. The technology they’re using is supposed to have been switched off by now, but that would cut them off, which would mean less money for WorldPay. So instead the deadline for updating them has been extended, leaving lots of tasty vulnerabilities for the bad guys to exploit. Go ask your POS vendor if they have moved to SHA-2. If not, get a new till system.
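If you want something more concrete than asking the vendor, here is an added example (not from the post, and not WorldPay’s or anyone’s product code) that answers the one question that matters here: is a certificate still signed with SHA-1, or has it moved to a SHA-2 hash? It is a deliberately minimal DER reader that looks only at the outer Certificate SEQUENCE and its signatureAlgorithm OID, so it needs nothing outside the standard library. The OID table comes from RFC 3279, RFC 4055 and RFC 5758; `constructed_cert` is an assumed stand-in that builds a skeletal certificate so the check can be demonstrated offline, and `fetch_server_hash` is the assumed live-check wrapper you would point at a gateway host.

```python
"""Report whether an X.509 certificate (DER bytes) is signed with SHA-1 or SHA-2.

Added example for the SHA-1 retirement discussed above; it is not part of the
original post. Only the outer signatureAlgorithm field is parsed.
"""
import ssl

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) and the hash each uses.
SIG_OID_HASH = {
    "1.2.840.113549.1.1.5": "SHA-1",      # sha1WithRSAEncryption
    "1.2.840.10045.4.1": "SHA-1",         # ecdsa-with-SHA1
    "1.2.840.113549.1.1.11": "SHA-256",   # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "SHA-384",   # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "SHA-512",   # sha512WithRSAEncryption
    "1.2.840.10045.4.3.2": "SHA-256",     # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "SHA-384",     # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "SHA-512",     # ecdsa-with-SHA512
}
SHA2_NAMES = {"SHA-256", "SHA-384", "SHA-512"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER content bytes into dotted form (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_hash(der_cert):
    """Name the hash behind the certificate's outer signature, or 'unknown (<oid>)'."""
    tag, cert_body, _ = _read_tlv(der_cert, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _, pos = _read_tlv(cert_body, 0)           # tbsCertificate: skipped entirely
    tag, sig_alg, _ = _read_tlv(cert_body, pos)   # signatureAlgorithm SEQUENCE
    assert tag == 0x30, "signatureAlgorithm must be a SEQUENCE"
    tag, oid_raw, _ = _read_tlv(sig_alg, 0)       # first element is the algorithm OID
    assert tag == 0x06, "expected an OBJECT IDENTIFIER"
    oid = _decode_oid(oid_raw)
    return SIG_OID_HASH.get(oid, "unknown (" + oid + ")")


def uses_sha2(der_cert):
    """True only when the signature hash is one of the SHA-2 family."""
    return signature_hash(der_cert) in SHA2_NAMES


def fetch_server_hash(host, port=443):
    """Live check (network): pull the server's certificate and classify it."""
    pem = ssl.get_server_certificate((host, port))
    return signature_hash(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed sample input so the check runs offline ---------------------
def _der(tag, content):
    """Encode one DER TLV, using long-form length when needed."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    """Inverse of _decode_oid: dotted string -> DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def constructed_cert(sig_oid):
    """Skeletal stand-in certificate (assumed, not a real cert): placeholder
    tbsCertificate, the requested signatureAlgorithm, and a dummy BIT STRING."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    sig_alg = _der(0x30, _encode_oid(sig_oid) + _der(0x05, b""))
    signature = _der(0x03, b"\x00" + b"\x00" * 64)
    return _der(0x30, tbs + sig_alg + signature)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, "->", signature_hash(constructed_cert(oid)))
```

Run `fetch_server_hash("gateway.example", 443)` against the host your terminals actually talk to (hostname assumed); anything reporting `SHA-1` is the problem the extended deadline is papering over. Remember this inspects one certificate only, so repeat it for each intermediate in the chain, since a SHA-2 leaf under a SHA-1 intermediate is still a SHA-1 chain.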
The EU has kinda-sorta signed off on “Privacy Shield” – which, despite sounding like a Tena product, is in fact the temporary replacement for Safe Harbour until the GDPR comes along and breaks it all again. So for the time being you can send your data out to the States again, provided the US data processor “self-certifies” their compliance with the Annex II principles. I’ve only scanned them, but somehow I can feel a lawsuit coming on. I don’t think Schrems is just going to fade into the background on this one.
In probably related news, Microsoft has introduced a whole raft of additional security stuff for its Office365 and Azure cloud offerings. Some of it looks quite sensible, frankly, and deals with some of the key issues – like Microsoft’s US techs having access to your data. The challenge is that “going cloud” is supposed to make things simpler. It’s beginning to feel a bit like “simple, secure, inexpensive – choose one”. These features are good, but how many customers will understand and use them properly?
Let’s see what comes first: I run out of steam or the world runs out of security news I can credibly claim is interesting…